Privacy and Security

This week eClinicalWorks resolved a lawsuit by agreeing to pay $155 million for falsely claiming it met Meaningful Use (MU) EHR certification criteria. Although the alleged behavior of eClinicalWorks was wrong, we have much more serious problems inflicted by the government-run EHR certification criteria.

The business of EHR vendors is to gain clients and earn profits. Developing innovative tools that help physicians care for patients should be the primary focus of their business. Instead, vendors are held hostage to government-run certification criteria that are constantly changing and sometimes ambiguous. While I do not condone the apparent behavior of eClinicalWorks, I am much more concerned about the certification processes that led to this situation.

The certification process evolved out of the 2009 HITECH Act that promoted the use of EHR technologies by offering incentive payments to hospitals and physicians who successfully adopted and used EHRs. This resulted in an unprecedented rush of business for EHR vendors. While EHR vendors began ramping up resources to meet the demands of the sales cycle and EHR implementations, they were also hit with government-imposed EHR certification criteria--criteria that are still changing frequently and sometimes are ambiguous. This exponential increase in EHR client demands along with rapidly changing certification criteria crushed EHR vendor resource availability. This constraint on resources forced them to focus on developing and testing EHR products to meet the specific certification criteria required by the government. In my opinion, the unintended consequence of overwhelmed EHR vendors is that they then did not have available resources to focus more on:

Improving usability

Identifying and managing patient safety risks inherent to EHR use

Developing innovative tools and functions that actually improve how physicians care for patients

As a result, EHRs were developed to meet MU EHR certification criteria, but failed to improve poor usability. EHR products could meet certification criteria, yet fail to adequately address patient safety risks associated with implementation and use. And the constraint on EHR vendor resource availability remains an impediment to the development of innovative tools and functionalities that EHR vendors really should be focusing on today.

Physicians do benefit from EHR certification by reducing risk during the EHR selection process. That is why the Certification Commission for Health Information Technology (CCHIT) was created in 2006 as an independent, not-for-profit group. CCHIT certification was based on a consensus of stakeholders who determined core functionalities that a basic EHR should provide. I participated in that effort, albeit in a brief, very small way (providing some input on pediatric core criteria). I recall we were careful to avoid requirements that could hinder EHR product innovation. CCHIT ceased operations in 2014 after the government created the MU EHR Certification program.

CCHIT certification was much less prescriptive than what the government imposes today. Less prescriptive EHR certification was, in retrospect, the right approach to take. And we did it without government involvement. Government works at its own hindered pace, and that pace is much slower than what an unencumbered EHR market could accomplish. I think the government needs to get out of the EHR certification business. But whether government remains involved or not, the EHR certification process needs to learn from CCHIT and rely more heavily on building consensus of physician stakeholders. We will do what is best for our patients.

So, this week one vendor was called out by the government for false claims regarding EHR certification. But that one vendor is really not the problem. The real problem is that the development of all EHR products has been, and still is, impeded by the government's EHR certification program.

Discharge instructions for a child’s insulin dose were correctly entered into the electronic health record (EHR), but when the mother received the printed instructions there was a decimal point error resulting in a 10-times dosing error. This error was fortunately noticed by the bedside nurse and corrected manually. I reported this near-miss to the EHR vendor and they corrected the technical problem. However, when I asked vendor representatives whether or not this problem was being corrected with other physician clients across the country, they informed me that no other client had reported such a problem.

This is analogous to a situation where an airbag explodes and sends shrapnel into your face. You might ask the automaker whether this is a problem with their other vehicles. They might tell you that they are not aware of others having the same problem. However, in the transportation industry they are required to report safety incidents and near-misses. These reports are collected, aggregated and analyzed by the National Transportation Safety Board (NTSB). If NTSB notices a trend in airbag-induced shrapnel injuries, they will initiate an investigation. When NTSB discovers a problem with a specific airbag that is used across multiple types of automobiles, not just the type you purchased in your own state, then they are authorized by Congress to make safety recommendations to help ensure the risk is appropriately managed across the industry.

This insulin dosing incident is one of many health IT-related patient safety risks I have encountered and resolved in collaboration with an EHR vendor. When my experience is extrapolated to the experiences of all physicians and EHR vendors, the scope of health IT-related patient safety risks can be seen as immense. But unlike the safety of interstate commerce produced by the auto industry that is overseen by the NTSB, the safety of interstate commerce produced by EHR vendors has no cohesive oversight mechanism.

The lack of oversight for health IT-related patient safety incidents and near-misses creates a hazardous patient care environment that I believe is urgent for Congress to address. The threat is increasing because the Meaningful Use Program (MU) has led to an exponential increase in the use of EHRs and other technology. As a result, physicians are assuming a higher level of risk and accountability for computer programs, networks and infrastructures that are increasingly used as tools to generate patient care actions and facilitate medical decisions. Although health IT-related patient safety risks would best be managed through a shared accountability between physicians and EHR vendors, the vendors are not currently held accountable for patient safety. Furthermore, the aggressive MU timelines have required EHR vendors to make rapid changes to EHRs without sufficient time to align changes with efficient physician workflows or to improve the flow of data between systems. As a result, EHRs are increasingly plagued by poor usability problems and lack of interoperability between EHR systems--both of which are patient safety risks that physicians commonly encounter.

So it is time to urge Congress to create a National Health IT Safety Center that can implement an effective EHR safety program designed to reduce EHR-related patient safety risks. Within this concept EHR vendors could be required to report patient safety incidents and near-misses to the Health IT Safety Center similar to how transportation safety incidents must be reported to the National Transportation Safety Board. The Health IT Safety Center could collect, aggregate and analyze reported data. It could have power to investigate incidents involving patient harm and require EHR vendors to make appropriate changes. It could monitor near-misses to identify trends and risks. It could coordinate with other agencies to develop and broadly disseminate educational information and tools that mitigate identified patient safety risks related to technology use.

I also envision that this resolution would lead to an entity that has the authority and influence to drive improvements in EHR usability and interoperability, which are the two most significant impediments to effective and meaningful use of electronic medical records.

I was not surprised when one of my colleagues told me his EMR unexpectedly "went down", as there are many threats to hardware and software--wind, fire, water, construction equipment, human error and cyber crimes to name a few. It was the rest of his story that was so disheartening. As he recalled the struggles that his group endured for three weeks, his facial expression contorted into what I can best describe as that of "helpless resignation". The complexities of technology had held him and his group hostage for three weeks. At the time of our initial discussion he was still in the "grieving" stage, so I felt it to be too early to engage in a healthy discussion about IT risk management. He needed to vent. I needed to listen.

And this story exemplifies what drives me to spend time collaborating with the Texas Medical Association (TMA) and others to raise physician awareness about the safe use of EMRs. I do not have data, but my gut tells me that the majority of physician practices underestimate how vulnerable they are to EMR threats, especially small physician practices who lack internal IT expertise. Perhaps the recent rise in ransomware attacks will actually be beneficial. A ransomware attack on a physician office in South Texas earlier this year has led the TMA to increase communications to physicians about the threat of ransomware and other cyber attacks.

Until recently the focus of preventive strategies against cyber attacks has been to ensure that the privacy and confidentiality of electronic medical records (EMRs) are maintained. HIPAA stuff. And this is understandable since privacy breaches are expensive for a practice to manage, and such breaches have the potential to financially hurt patients if their data is used maliciously. But ransomware attacks are different because they make a physician's EMR unusable until a ransom is paid (or the EMR is otherwise restored). Unlike privacy breaches, ransomware attacks are disruptive to the daily operations of the practice. It is a disruption that impairs the ability to take care of patients who are in the office as well as those who call the office. At the end of the day the physician is left struggling to take care of patients who are sick without access to information that is really needed. This is a "new normal" that should brightly illuminate the need for improved disaster recovery preparedness and IT risk management for physician practices.

There are ways to reduce the threat of ransomware attacks and other health IT risks. A thorough security risk analysis can identify weaknesses that could be targeted by cyber criminals. Steps can then be taken to reduce the chances of being victimized. Establishing a habit of continually identifying and managing these technical risks will further reduce the chances of an EMR shutdown.

But one of the major obstacles is that physicians generally do not have the knowledge, expertise and time to do this themselves. Another obstacle is that security risk analysis tools are designed primarily for large healthcare systems and do not translate well onto a small physician practice. That is why the TMA's ad hoc Health IT Committee is currently collaborating with a vendor, a state agency and one small physician practice to hone down a security risk planning tool into something that would be feasible and effective for small physician practices to adopt. For now physicians have to rely on consultants or train/hire IT staff to identify and manage technology security risks.

Nevertheless, no system can be 100% "downtime-proofed". So even if a physician practice adopts best practices for security risk management, they must be prepared for a disaster to strike at any time. After a disaster strikes, maintaining the ability to effectively care for patients must be the first priority. I have coined the term, "clinical continuity planning", to characterize this planning. I base the term on a similar commonly used term, "business continuity planning", which is the plan businesses develop to maintain daily operations during technology downtimes and disasters. A physician office certainly is a business and should have a business continuity plan to maintain economic viability during disasters. But the life-and-death nature of patient care is so unique that I believe a clinical continuity plan should be developed by each practice and be considered as the first priority in disaster planning. Business continuity is integrated with clinical continuity and is also vital to the physician practice, but it should be considered as a lower priority. In the real world this means that when weaknesses in security and downtime planning are identified, clinical continuity weaknesses should be addressed before business continuity weaknesses are addressed.

The most effective protection against a ransomware attack and other types of "downtime" is to have a complete backup of EMR data and the ability to quickly restore the EMR system. If the practice can do that, they may not have to pay a ransom, and the impact on patient care can be minimized if the backup and restore tools/processes are effective.

With the rise of ransomware attacks I believe the primary focus of health IT risk management for physician practices should be to ensure that an acceptable degree of clinical continuity can be maintained during EMR downtimes. Secondarily, the practice should understand the tools and processes that are in place to back up and restore the EMR in the event of a disaster, and make sure they get tested. The first time a physician discovers that it will take 3 weeks to restore their EMR should not be after a real disaster strikes.
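The two preceding paragraphs say a practice should have a complete backup, be able to restore it quickly, and actually test that it can. What follows is an added example of what such a test can look like in code; it is not from the original post or from any EMR vendor. It backs up a directory into a tar.gz archive with a SHA-256 manifest, restores into a scratch directory, verifies every file against the manifest, and times the restore against a recovery time objective (RTO). The "emr-data" layout, file names and the 60-second RTO are constructed for illustration; a real drill would point at the practice's real backup set and its own RTO.

```python
# Added example (not from the original post): a scripted backup/restore drill.
# Archive a directory plus a SHA-256 manifest, restore it into a throwaway
# directory, verify every file, and report whether the restore met the RTO.
# The "emr-data" sample tree, file names and RTO below are constructed.
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive `source` and write a manifest mapping relative path -> SHA-256."""
    archive = dest_dir / "emr-backup.tar.gz"
    manifest = dest_dir / "emr-backup.manifest.json"
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                hashes[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def restore_drill(archive: Path, manifest: Path, rto_seconds: float) -> dict:
    """Restore into a throwaway directory and check it against the manifest.

    Returns a report instead of printing, so the drill can be scheduled and its
    result recorded. Archive entries with absolute paths or '..' components are
    refused before extraction, so a damaged or tampered archive cannot write
    outside the restore directory."""
    expected = json.loads(manifest.read_text())
    missing, mismatched = [], []
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                name = Path(member.name)
                if name.is_absolute() or ".." in name.parts:
                    raise ValueError(f"unsafe archive member: {member.name}")
            tar.extractall(root)
        elapsed = time.monotonic() - start
        for rel, digest in expected.items():
            p = root / rel
            if not p.is_file():
                missing.append(rel)
            elif sha256_of(p) != digest:
                mismatched.append(rel)
    return {
        "files_checked": len(expected),
        "missing": missing,
        "mismatched": mismatched,
        "restore_seconds": round(elapsed, 3),
        "within_rto": elapsed <= rto_seconds,
        "ok": not missing and not mismatched and elapsed <= rto_seconds,
    }


def demo() -> dict:
    """Constructed sample data: back it up and drill it, then change the source,
    take a second backup, and drill that against the ORIGINAL manifest to show
    how a backup that no longer matches what was recorded is flagged."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "emr-data"
        (data / "charts").mkdir(parents=True)
        (data / "charts" / "patient-0001.json").write_text('{"allergies": ["penicillin"]}')
        (data / "schedule.csv").write_text("date,provider,slots\n2024-01-02,drA,12\n")
        archive, manifest = make_backup(data, work)
        clean = restore_drill(archive, manifest, rto_seconds=60)

        # The schedule changes after the manifest was recorded; a later backup
        # is then checked against the earlier manifest and must not pass.
        (data / "schedule.csv").write_text("date,provider,slots\n2024-01-02,drA,9\n")
        later = work / "later"
        later.mkdir()
        later_archive, _ = make_backup(data, later)
        stale = restore_drill(later_archive, manifest, rto_seconds=60)
    return {"clean": clean, "stale": stale}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the drill on a schedule and keeping its reports is the point: a report with `ok` false, or a `restore_seconds` value that creeps toward the RTO, is the warning the practice wants to see before a real outage rather than during one.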

The idea’s time has come. The U.S. healthcare system needs a national, independent entity empowered by Congress to oversee health IT patient safety. Now.

In today's world a health IT-related patient safety issue that is identified by a physician practice or hospital is investigated and managed in a nontransparent manner by the individual provider and the EHR vendor.

Although the issue may be escalated to a local accountable care organization (ACO) or patient safety organization (PSO) that providers are increasingly becoming associated with, neither the issue nor the results of the investigation are reported to a statewide or national oversight entity. The patient safety data is therefore not collected, aggregated and analyzed at a state or national level. Without such oversight we are missing out on the opportunity to identify known avoidable health IT risks to patient safety and failing to disseminate knowledge on how to manage those risks. For example, if an issue is resolved at the physician practice between the physicians and EHR vendor but is not addressed at other practices that use the same EHR, then patients at those other practices remain at risk.

I have observed EHR vendors tune in to patient safety issues more keenly in the past decade and sometimes make more visible efforts to ensure identified issues are addressed with all customers and not just the ones who report issues. And let's be clear that a majority of EHR-related patient safety risks are related to how an EHR product is being used or implemented by their clients and not due to inherent technical flaws with the vendor's product. Nevertheless, patient safety should be viewed as a shared responsibility between the physicians, their practices or organizations and the health IT vendors. Identifying and managing patient safety risks is done most effectively when all cooperate in a team effort.

In Texas there had been discussions within the Texas Medical Association about establishing a central, statewide EHR patient safety entity to monitor and manage health IT-related patient safety issues. The data would be rolled up from hospitals, physician practices and patient safety organizations across the state for aggregation and analysis. However, it became evident during those discussions that it would be feasible and much more beneficial to establish governance at a national level.

So why does this need to be a new, independent national agency charged by Congress to oversee health IT patient safety?

Today there are many government agencies and private entities that I believe could and should contribute to patient safety surveillance and improvements, but none have the expertise, assets and time that are necessary to coordinate a national effort. In addition to the complexity involved with collecting and analyzing data from hundreds of institutions and PSOs, there are hundreds of unrelated EHR vendor products being used. There is not yet any available registry of health IT products, many of which are subdivided into multiple versions that sometimes vary widely in their available functionality. As a result, I strongly agree with the observations and recommendations described in an article by Singh, Classen and Sittig (J Patient Saf, Dec 2011; 7(4): 169-174) calling for a national patient safety board that is an independent government agency structured similarly to the National Transportation Safety Board. This entity would be charged by Congress to oversee HIT patient safety and coordinate with other agencies who can contribute to improvement in patient safety such as the Office of the National Coordinator, the Federal Drug Administration, the National Institute of Standards and Technology, the Agency for Healthcare Research and Quality, the Center for Medicare and Medicaid Services, the National Quality Forum, local patient safety organizations, local healthcare organizations who collect patient safety data, other local EHR patient safety reporting entities and industrial (EHR and HIT) trade associations. All of these entities need to function in a cooperative fashion in order to effectively identify and manage health IT-related patient safety risks.

The recent health IT report from the Food and Drug Administration Safety Innovation Act (FDASIA Health IT Report) proposes a framework to improve health IT-related safety risks including a proposed National Patient Safety Center.

I am concerned, however, that the proposal does not appear to provide this entity with enough authority to get the job done effectively. A national patient safety entity must have the authority to not only monitor activity and provide learning opportunities for vendors and providers, but also to regulate activities, investigate events, ensure issue resolution and require compliance. I do not see enough "teeth" given to the entity proposed by the FDASIA report.

The primary focus of a national Health IT Patient Safety Center should be on the dedicated surveillance of HIT-related safety risks and to promote learning from identified issues, potential adverse events (“close calls”) and adverse events. But it must also have the authority to effectively manage identified risks and ensure compliance with best practices for health IT patient safety.

As discussed in my post, "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", Texas House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. Through a series of blogs I am illustrating a variety of these new protections. Today we contrast a patient's right to access their electronic health record (EHR) under HIPAA against HB 300 requirements in Texas. Case history:

A patient alleged that a physician failed to provide him access to his electronic medical record within 30 days of a written request as required by HIPAA. After the Office of Civil Rights (OCR) notified the physician of this allegation, he provided the records but charged the patient a $100.00 “administrative fee” because the patient was delinquent on bills. HIPAA permits only a reasonable cost-based fee (copying and postage) with an explanation or summary if agreed to by the individual. To resolve this matter, the physician refunded the $100.

When state and federal privacy laws diverge, the more protective law prevails. In Texas, HB 300 combined with other state laws is more protective than HIPAA, for example with respect to a patient's right to access their electronic health records (EHRs). HB 300 requires physicians who use EHRs to provide patients the requested record in electronic form not later than 15 business days after receiving a written request unless there is an allowable exception. The EHR may be provided in another format if the physician's EHR is incapable of producing an electronic copy or if agreed upon by the patient in advance. Physicians in Texas should align with HB 300 by revising policies on patient access to their EHR and updating their Privacy Notice as needed.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

As discussed in my post, "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. I am concerned that there may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions. For example, one of the new requirements impacts employee privacy training policies for the physician practice. As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area possibly after a cleaning crew had left the main door to the building open. An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week. Following the breach the practice notified all affected individuals, added technical safeguards of encryption for PHI stored on mobile computers, added physical safeguards by keeping all portable devices locked in a cabinet of a locked storage room when not in use and required re-training of all employees on privacy and security policies including immediate training for the cleaning staff.

Many breaches of PHI are avoidable if employees are trained on privacy/security and remain vigilant when managing PHI. In Texas HB 300 protects not only PHI as defined by HIPAA, but also “sensitive personal information (SPI)” as defined by the Texas Identity Theft Protection Act. HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training that is tailored to the employee’s specific responsibilities and types of contact with PHI. New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years. A log must be maintained with employee signatures verifying their attendance. Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

As discussed in my post, "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. In a series of weekly blogs I am writing to illustrate some of the new protections. I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws. Consider this case history:

A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA's server was compromised. The breach involved PHI of 1,085 individuals. In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service. The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI. This means that BAs of physician practices are accountable to HB 300 protections and HIPAA unless they have no contact with PHI. Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws. Matters to address in a BAA include:

Immediate notification to practice when BA discovers breach

Who notifies affected individuals? Who bears the cost?

Contract termination for failure to comply with law or take "reasonable" steps to fix breach

Encryption of PHI on BA’s mobile devices or exchanged online; and other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Privacy protection is getting bigger in Texas. Last year the Texas Legislature passed House Bill 300 (HB 300), heavily amending the state's Texas Medical Records Privacy Act. These amendments increase protection of electronic personal health information (PHI) and become effective on September 1, 2012. HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, is more protective of patients' privacy than HIPAA. Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI. But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements which increase the physician's cyber liability risks. In the next month I know of two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th. Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300. Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting protected health information (PHI) stored on mobile devices; and encrypting PHI transported online. Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.